feat(core): expose TLS ConnectionState (SNI) for DoQ (#8129)

DoQWriter previously stored only the QUIC stream, so plugins reading TLS state via dns.ConnectionStater (e.g. for SNI-based routing or auditing) could not see anything for DoQ connections, even though the underlying QUIC connection carries a full tls.ConnectionState. This change adds a *quic.Conn reference to DoQWriter and wires it in serveQUICStream. It implements dns.ConnectionStater on *DoQWriter, returning the TLS state from the underlying QUIC connection (mirrors the DoT behavior that miekg/dns already provides for *tls.Conn) Forwards ConnectionState through request.ScrubWriter, which wraps every response writer before the plugin chain runs; the embedded dns.ResponseWriter interface does not promote ConnectionState (it belongs to a separate interface), so without this plugins would still see nil for both DoQ and DoT Signed-off-by: Nicholas Amorim <nicholas@santos.ee>
2026-06-02 07:10:24 -04:00 · 2026-05-29 01:45:48 +03:00
parent 0bcb17df06
commit 6b93363b94
6 changed files with 196 additions and 1 deletions
--- a/core/dnsserver/quic_test.go
+++ b/core/dnsserver/quic_test.go
@@ -48,3 +48,11 @@ func TestDoQWriter_ResponseWriterMethods(t *testing.T) {
 		t.Errorf("RemoteAddr() = %v, want %v", addr, remoteAddr)
 	}
 }
+
+func TestDoQWriter_ConnectionStateNilConn(t *testing.T) {
+	writer := &DoQWriter{}
+
+	if state := writer.ConnectionState(); state != nil {
+		t.Errorf("ConnectionState() = %v, want nil when conn is unset", state)
+	}
+}